]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/log
mirror_ubuntu-bionic-kernel.git
11 years agoUSB: mos7840: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:20 +0000 (09:21 +0100)]
USB: mos7840: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: mos7840: fix broken TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:19 +0000 (09:21 +0100)]
USB: mos7840: fix broken TIOCMIWAIT

Make sure waiting processes are woken on modem-status changes.

Currently processes are only woken on termios changes regardless of
whether the modem status has changed.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: mct_u232: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:18 +0000 (09:21 +0100)]
USB: mct_u232: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: io_ti: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:17 +0000 (09:21 +0100)]
USB: io_ti: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: io_edgeport: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:16 +0000 (09:21 +0100)]
USB: io_edgeport: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: ftdi_sio: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:15 +0000 (09:21 +0100)]
USB: ftdi_sio: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

When switching to tty ports, some lifetime assumptions were changed.
Specifically, close can now be called before the final tty reference is
dropped as part of hangup at device disconnect. Even with the ftdi
private-data refcounting this means that the port private data can be
freed while a process is sleeping on modem-status changes and thus
cannot be relied on to detect disconnects when woken up.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: f81232: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:14 +0000 (09:21 +0100)]
USB: f81232: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: cypress_m8: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:13 +0000 (09:21 +0100)]
USB: cypress_m8: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Also remove bogus test for private data pointer being NULL as it is
never assigned in the loop.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: ch341: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:12 +0000 (09:21 +0100)]
USB: ch341: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: ark3116: fix use-after-free in TIOCMIWAIT
Johan Hovold [Tue, 19 Mar 2013 08:21:11 +0000 (09:21 +0100)]
USB: ark3116: fix use-after-free in TIOCMIWAIT

Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: serial: add modem-status-change wait queue
Johan Hovold [Tue, 19 Mar 2013 08:21:10 +0000 (09:21 +0100)]
USB: serial: add modem-status-change wait queue

Add modem-status-change wait queue to struct usb_serial_port that
subdrivers can use to implement TIOCMIWAIT.

Currently subdrivers use a private wait queue which may have been
released when waking up after device disconnected.

Note that we're adding a new wait queue rather than reusing the tty-port
one as we do not want to get woken up at hangup (yet).

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: serial: fix interface refcounting
Johan Hovold [Tue, 19 Mar 2013 08:21:09 +0000 (09:21 +0100)]
USB: serial: fix interface refcounting

Make sure the interface is not released before our serial device.

Note that drivers are still not allowed to access the interface in
any way that may interfere with another driver that may have gotten
bound to the same interface after disconnect returns.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: io_ti: fix get_icount for two port adapters
Johan Hovold [Tue, 19 Mar 2013 08:21:08 +0000 (09:21 +0100)]
USB: io_ti: fix get_icount for two port adapters

Add missing get_icount field to two-port driver.

The two-port driver was not updated when switching to the new icount
interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the
new icount interface").

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: garmin_gps: fix memory leak on disconnect
Johan Hovold [Tue, 19 Mar 2013 08:21:07 +0000 (09:21 +0100)]
USB: garmin_gps: fix memory leak on disconnect

Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
drivers writing after disconnect") which prevented queued data from
being freed on disconnect.

The possible IO it was supposed to prevent is long gone.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: cdc-acm: fix device unregistration
Johan Hovold [Tue, 19 Mar 2013 08:21:06 +0000 (09:21 +0100)]
USB: cdc-acm: fix device unregistration

Unregister tty device in disconnect as is required by the USB stack.

By deferring unregistration to when the last tty reference is dropped,
the parent interface device can get unregistered before the child
resulting in broken hotplug events being generated when the tty is
finally closed:

KERNEL[2290.798128] remove   /devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1:3.1 (usb)
KERNEL[2290.804589] remove   /devices/pci0000:00/0000:00:1d.7/usb2/2-1 (usb)
KERNEL[2294.554799] remove   /2-1:3.1/tty/ttyACM0 (tty)

The driver must deal with tty callbacks after disconnect by checking the
disconnected flag. Specifically, further opens must be prevented and
this is already implemented.

Cc: stable <stable@vger.kernel.org>
Cc: Oliver Neukum <oneukum@suse.de>
Acked-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agousb: cdc-acm: fix error handling in acm_probe()
Alexey Khoroshilov [Fri, 15 Mar 2013 21:30:32 +0000 (01:30 +0400)]
usb: cdc-acm: fix error handling in acm_probe()

acm_probe() ignores errors in tty_port_register_device()
and leaves intfdata pointing to freed memory on alloc_fail7
error path. The patch fixes the both issues.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoMerge tag 'fixes-for-v3.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi...
Greg Kroah-Hartman [Thu, 21 Mar 2013 15:40:22 +0000 (08:40 -0700)]
Merge tag 'fixes-for-v3.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

usb: fixes for v3.9-rc4

udc-core learned that it shouldn't use invalid pointers
when unloading a gadget driver.

net2272 and net2280 got a fix for a regression caused by
the udc_start/udc_stop conversion.

We're defining a static inline no-op for otg_ulpi_create()
to prevent build errors when that driver isn't enabled.

FunctionFS got a fix for an off-by-one error when binding
and unbinding instances of FunctionFS.

MUSB learned that it shouldn't try to unmap buffers which
weren't previously mapped.

f_rndis got a fix for a possible NULL pointer dereference
in a debugging message code.

MUSB's DA8xx glue layer got a build fix due to a typo.

11 years agousb: gadget: net2272: finally convert "CONFIG_USB_GADGET_NET2272_DMA"
Paul Bolle [Wed, 20 Mar 2013 08:44:17 +0000 (09:44 +0100)]
usb: gadget: net2272: finally convert "CONFIG_USB_GADGET_NET2272_DMA"

The Kconfig symbol USB_GADGET_NET2272_DMA was renamed to USB_NET2272_DMA
in commit 193ab2a6070039e7ee2b9b9bebea754a7c52fd1b ("usb: gadget: allow
multiple gadgets to be built"). That commit did not convert the only
occurrence of the corresponding Kconfig macro. Convert that macro now.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agoUSB: EHCI: fix regression in QH unlinking
Alan Stern [Wed, 20 Mar 2013 19:07:26 +0000 (15:07 -0400)]
USB: EHCI: fix regression in QH unlinking

This patch (as1670) fixes a regression caused by commit
6402c796d3b4205d3d7296157956c5100a05d7d6 (USB: EHCI: work around
silicon bug in Intel's EHCI controllers).  The workaround goes through
two IAA cycles for each QH being unlinked.  During the first cycle,
the QH is not added to the async_iaa list (because it isn't fully gone
from the hardware yet), which means that list will be empty.

Unfortunately, I forgot to update the IAA watchdog timer routine.  It
thinks that an empty async_iaa list means the timer expiration was an
error, which isn't true any more.  This problem didn't show up during
initial testing because the controllers being tested all had working
IAA interrupts.  But not all controllers do, and when the watchdog
timer expires, the empty-list check prevents the second IAA cycle from
starting.  As a result, URB unlinks never complete.  The check needs
to be removed.

Among the symptoms of the regression are processes stuck in D wait
states and hangs during system shutdown.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Stephen Warren <swarren@wwwdotorg.org>
Reported-and-tested-by: Sven Joachim <svenjoac@gmx.de>
Reported-by: Andreas Bombe <aeb@debian.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agousb: gadget: f_rndis: Avoid to use ERROR macro if cdev can be null
Truls Bengtsson [Wed, 20 Mar 2013 13:02:25 +0000 (14:02 +0100)]
usb: gadget: f_rndis: Avoid to use ERROR macro if cdev can be null

The udc_irq service runs the isr_tr_complete_handler which in turn
"nukes" the endpoints, including a call to rndis_response_complete,
if appropriate. If the rndis_msg_parser fails here, an error will
be printed using a dev_err call (through the ERROR() macro).

However, if the usb cable was just disconnected the device (cdev)
might not be available and will be null. Since the dev_err macro will
dereference the cdev pointer we get a null pointer exception.

Reviewed-by: Radovan Lekanovic <radovan.lekanovic@sonymobile.com>
Signed-off-by: Truls Bengtsson <truls.bengtsson@sonymobile.com>
Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agousb: ulpi: Define a *otg_ulpi_create no-op
Fabio Estevam [Wed, 20 Mar 2013 13:35:44 +0000 (10:35 -0300)]
usb: ulpi: Define a *otg_ulpi_create no-op

Building a kernel for imx_v4_v5_defconfig with CONFIG_USB_ULPI disabled, results
in the following error:

arch/arm/mach-imx/built-in.o: In function 'pca100_init':
platform-mx2-emma.c:(.init.text+0x6788): undefined reference to 'otg_ulpi_create'
platform-mx2-emma.c:(.init.text+0x682c): undefined reference to 'mxc_ulpi_access_ops'

Fix this by providing a no-op definition of *otg_ulpi_create for the case when
CONFIG_USB_ULPI is not defined.

Acked-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agousb: gadget: ffs: fix enable multiple instances
Andrzej Pietrasiewicz [Mon, 11 Mar 2013 15:32:14 +0000 (16:32 +0100)]
usb: gadget: ffs: fix enable multiple instances

This patch fixes an "off-by-one" bug found in
581791f (FunctionFS: enable multiple functions).

During gfs_bind/gfs_unbind the functionfs_bind/functionfs_unbind should be
called for every functionfs instance. With the "i" pre-decremented they
were not called for the zeroth instance.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: <stable@vger.kernel.org>
[ balbi@ti.com : added offending commit's subject ]

Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agoUSB: gadget: net2280: remove leftover driver->unbind call in error pathway
Alan Stern [Fri, 15 Mar 2013 18:03:17 +0000 (14:03 -0400)]
USB: gadget: net2280: remove leftover driver->unbind call in error pathway

This patch (as1667) removes an incorrect driver->unbind() call from
the net2280 driver.  If startup fails, the UDC core takes care of
unbinding the gadget driver automatically; the controller driver
shouldn't do it too.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agousb: gadget: udc-core: fix a regression during gadget driver unbinding
Alan Stern [Fri, 15 Mar 2013 18:02:14 +0000 (14:02 -0400)]
usb: gadget: udc-core: fix a regression during gadget driver unbinding

This patch (as1666) fixes a regression in the UDC core.  The core
takes care of unbinding gadget drivers, and it does the unbinding
before telling the UDC driver to turn off the controller hardware.
When the call to the udc_stop callback is made, the gadget no longer
has a driver.  The callback routine should not be invoked with a
pointer to the old driver; doing so can cause problems (such as
use-after-free accesses in net2280).

This patch should be applied, with appropriate context changes, to all
the stable kernels going back to 3.1.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agousb: gadget: net22xx: fix ->disconnect reporting
Felipe Balbi [Mon, 18 Mar 2013 08:14:47 +0000 (10:14 +0200)]
usb: gadget: net22xx: fix ->disconnect reporting

with the latest udc_start/udc_stop conversion,
too much code was deleted which ended up creating
a regression in net2272 and net2280 drivers.

To fix the regression we revert one hunk of the
original commits.

Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agoMerge tag 'for-usb-linus-2013-03-18' of git://git.kernel.org/pub/scm/linux/kernel...
Greg Kroah-Hartman [Mon, 18 Mar 2013 22:56:05 +0000 (15:56 -0700)]
Merge tag 'for-usb-linus-2013-03-18' of git://git.kernel.org/pub/scm/linux/kernel/git/sarah/xhci into usb-linus

Sarah writes:

xHCI bug fix for 3.9

Hi Greg,

Here's one xHCI bug fix.  We had two register bits flipped.

Sarah Sharp

11 years agoUSB: xhci - fix bit definitions for IMAN register
Dmitry Torokhov [Mon, 25 Feb 2013 18:56:01 +0000 (10:56 -0800)]
USB: xhci - fix bit definitions for IMAN register

According to XHCI specification (5.5.2.1) the IP is bit 0 and IE is bit 1
of IMAN register. Previously their definitions were reversed.

Even though there are no ill effects being observed from the swapped
definitions (because IMAN_IP is RW1C and in legacy PCI case we come in
with it already set to 1 so it was clearing itself even though we were
setting IMAN_IE instead of IMAN_IP), we should still correct the values.

This patch should be backported to kernels as old as 2.6.36, that
contain the commit 4e833c0b87a30798e67f06120cecebef6ee9644c "xhci: don't
re-enable IE constantly".

Signed-off-by: Dmitry Torokhov <dtor@vmware.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@vger.kernel.org
11 years agousb: musb: gadget: do *unmap_dma_buffer* only for valid DMA addr
Kishon Vijay Abraham I [Fri, 15 Mar 2013 13:28:50 +0000 (18:58 +0530)]
usb: musb: gadget: do *unmap_dma_buffer* only for valid DMA addr

musb does not use DMA buffer for ep0 but it uses the same giveback
function *musb_g_giveback* for all endpoints (*musb_g_ep0_giveback* calls
*musb_g_giveback*). So for ep0 case request.dma will be '0'
and will result in kernel OOPS if tried to *unmap_dma_buffer* for requests in
ep0. Fixed it by doing *unmap_dma_buffer* only for valid DMA addr and
checking that musb_ep->dma is valid when unmapping.

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agoUSB: EHCI: fix regression during bus resume
Alan Stern [Fri, 15 Mar 2013 18:40:26 +0000 (14:40 -0400)]
USB: EHCI: fix regression during bus resume

This patch (as1663) fixes a regression caused by commit
6e0c3339a6f19d748f16091d0a05adeb1e1f822b (USB: EHCI: unlink one async
QH at a time).  In order to avoid keeping multiple QHs in an unusable
intermediate state, that commit changed unlink_empty_async() so that
it unlinks only one empty QH at a time.

However, when the EHCI root hub is suspended, _all_ async QHs need to
be unlinked.  ehci_bus_suspend() used to do this by calling
unlink_empty_async(), but now this only unlinks one of the QHs, not
all of them.

The symptom is that when the root hub is resumed, USB communications
don't work for some period of time.  This is because ehci-hcd doesn't
realize it needs to restart the async schedule; it assumes that
because some QHs are already on the schedule, the schedule must be
running.

The easiest way to fix the problem is add a new function that unlinks
all the async QHs when the root hub is suspended.

This patch should be applied to all kernels that have the 6e0c3339a6f1
commit.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Adrian Bassett <adrian.bassett@hotmail.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agousb-storage: add unusual_devs entry for Samsung YP-Z3 mp3 player
Dmitry Artamonow [Sat, 9 Mar 2013 16:30:58 +0000 (20:30 +0400)]
usb-storage: add unusual_devs entry for Samsung YP-Z3 mp3 player

Device stucks on filesystem writes, unless following quirk is passed:
  echo 04e8:5136:m > /sys/module/usb_storage/parameters/quirks

Add corresponding entry to unusual_devs.h

Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoUSB: xhci: correctly enable interrupts
Hannes Reinecke [Mon, 4 Mar 2013 16:14:43 +0000 (17:14 +0100)]
USB: xhci: correctly enable interrupts

xhci has its own interrupt enabling routine, which will try to
use MSI-X/MSI if present. So the usb core shouldn't try to enable
legacy interrupts; on some machines the xhci legacy IRQ setting
is invalid.

v3: Be careful to not break XHCI_BROKEN_MSI workaround (by trenn)

Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Oliver Neukum <oneukum@suse.de>
Cc: Thomas Renninger <trenn@suse.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Frederik Himpe <fhimpe@vub.ac.be>
Cc: David Haerdeman <david@hardeman.nu>
Cc: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reviewed-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoperf,x86: fix kernel crash with PEBS/BTS after suspend/resume
Stephane Eranian [Fri, 15 Mar 2013 13:26:07 +0000 (14:26 +0100)]
perf,x86: fix kernel crash with PEBS/BTS after suspend/resume

This patch fixes a kernel crash when using precise sampling (PEBS)
after a suspend/resume. Turns out the CPU notifier code is not invoked
on CPU0 (BP). Therefore, the DS_AREA (used by PEBS) is not restored properly
by the kernel and keeps it power-on/resume value of 0 causing any PEBS
measurement to crash when running on CPU0.

The workaround is to add a hook in the actual resume code to restore
the DS Area MSR value. It is invoked for all CPUS. So for all but CPU0,
the DS_AREA will be restored twice but this is harmless.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agomm/fremap.c: fix possible oops on error path
Michel Lespinasse [Thu, 14 Mar 2013 23:50:02 +0000 (16:50 -0700)]
mm/fremap.c: fix possible oops on error path

The vm_flags introduced in 6d7825b10dbe ("mm/fremap.c: fix oops on error
path") is supposed to avoid a compiler warning about unitialized
vm_flags without changing the generated code.

However I am concerned that this is going to be very brittle, and fail
with some compiler versions. The failure could be either of:

- compiler could actually load vma->vm_flags before checking for the
  !vma condition, thus reintroducing the oops

- compiler could optimize out the !vma check, since the pointer just got
  dereferenced shortly before (so the compiler knows it can't be NULL!)

I propose reversing this part of the change and initializing vm_flags to 0
just to avoid the bogus uninitialized use warning.

Signed-off-by: Michel Lespinasse <walken@google.com>
Cc: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoMerge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck...
Linus Torvalds [Thu, 14 Mar 2013 21:53:07 +0000 (14:53 -0700)]
Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu

Pull fix for hlist_entry_safe() regression from Paul McKenney:
 "This contains a single commit that fixes a regression in
  hlist_entry_safe().  This macro references its argument twice, which
  can cause NULL-pointer errors.  This commit applies a gcc statement
  expression, creating a temporary variable to avoid the double
  reference.  This has been posted to LKML at

    https://lkml.org/lkml/2013/3/9/75.

  Kudos to CAI Qian, whose testing uncovered this, to Eric Dumazet, who
  spotted root cause, and to Li Zefan, who tested this commit."

* 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu:
  list: Fix double fetch of pointer in hlist_entry_safe()

11 years agolist: Fix double fetch of pointer in hlist_entry_safe()
Paul E. McKenney [Sat, 9 Mar 2013 15:38:41 +0000 (07:38 -0800)]
list: Fix double fetch of pointer in hlist_entry_safe()

The current version of hlist_entry_safe() fetches the pointer twice,
once to test for NULL and the other to compute the offset back to the
enclosing structure.  This is OK for normal lock-based use because in
that case, the pointer cannot change.  However, when the pointer is
protected by RCU (as in "rcu_dereference(p)"), then the pointer can
change at any time.  This use case can result in the following sequence
of events:

1. CPU 0 invokes hlist_entry_safe(), fetches the RCU-protected
pointer as sees that it is non-NULL.

2. CPU 1 invokes hlist_del_rcu(), deleting the entry that CPU 0
just fetched a pointer to.  Because this is the last entry
in the list, the pointer fetched by CPU 0 is now NULL.

3. CPU 0 refetches the pointer, obtains NULL, and then gets a
NULL-pointer crash.

This commit therefore applies gcc's "({ })" statement expression to
create a temporary variable so that the specified pointer is fetched
only once, avoiding the above sequence of events.  Please note that
it is the caller's responsibility to use rcu_dereference() as needed.
This allows RCU-protected uses to work correctly without imposing
any additional overhead on the non-RCU case.

Many thanks to Eric Dumazet for spotting root cause!

Reported-by: CAI Qian <caiqian@redhat.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Tested-by: Li Zefan <lizefan@huawei.com>
11 years agoMerge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
Linus Torvalds [Thu, 14 Mar 2013 19:11:28 +0000 (12:11 -0700)]
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull ext2, ext3, reiserfs, quota fixes from Jan Kara:
 "A fix for regression in ext2, and a format string issue in ext3.  The
  rest isn't too serious."

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  ext2: Fix BUG_ON in evict() on inode deletion
  reiserfs: Use kstrdup instead of kmalloc/strcpy
  ext3: Fix format string issues
  quota: add missing use of dq_data_lock in __dquot_initialize

11 years agousb: gadget: u_serial: fix typo which cause build warning
Bo Shen [Wed, 13 Mar 2013 08:54:07 +0000 (16:54 +0800)]
usb: gadget: u_serial: fix typo which cause build warning

fix typo error introduced by commit ea0e6276 (usb: gadget: add
multiple definition guards) which causes the following build warning:

  warning: "pr_vdebug" redefined

Signed-off-by: Bo Shen <voice.shen@atmel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agousb: musb: da8xx: Fix build breakage due to typo
Mikhail Kshevetskiy [Thu, 14 Mar 2013 09:18:29 +0000 (10:18 +0100)]
usb: musb: da8xx: Fix build breakage due to typo

Commit 032ec49f5351e9cb242b1a1c367d14415043ab95 (usb: musb: drop useless
board_mode usage) introduced a typo that breaks the build.

Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@gmail.com>
[ Fixed commit message ]

Cc: Mikhail Kshevetskiy <mikhail.kshevetskiy@gmail.com>
Cc: Sergei Shtylyov <sshtylyov@mvista.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michael Riesch <michael.riesch@omicron.at>
Signed-off-by: Felipe Balbi <balbi@ti.com>
11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm...
Linus Torvalds [Wed, 13 Mar 2013 22:47:50 +0000 (15:47 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull namespace bugfixes from Eric Biederman:
 "This tree includes a partial revert for "fs: Limit sys_mount to only
  request filesystem modules." When I added the new style module aliases
  to the filesystems I deleted the old ones.  A bad move.  It turns out
  that distributions like Arch linux use module aliases when
  constructing ramdisks.  Which meant ultimately that an ext3 filesystem
  mounted with ext4 would not result in the ext4 module being put into
  the ramdisk.

  The other change in this tree adds a handful of filesystem module
  alias I simply failed to add the first time.  Which inconvinienced a
  few folks using cifs.

  I don't want to inconvinience folks any longer than I have to so here
  are these trivial fixes."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  fs: Readd the fs module aliases.
  fs: Limit sys_mount to only request filesystem modules. (Part 3)

11 years agoMerge branch 'akpm' (fixes from Andrew)
Linus Torvalds [Wed, 13 Mar 2013 22:21:57 +0000 (15:21 -0700)]
Merge branch 'akpm' (fixes from Andrew)

Merge misc fixes from Andrew Morton:

 - A bunch of fixes

 - Finish off the idr API conversions before someone starts to use the
   old interfaces again.

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  idr: idr_alloc() shouldn't trigger lowmem warning when preloaded
  UAPI: fix endianness conditionals in M32R's asm/stat.h
  UAPI: fix endianness conditionals in linux/raid/md_p.h
  UAPI: fix endianness conditionals in linux/acct.h
  UAPI: fix endianness conditionals in linux/aio_abi.h
  decompressors: fix typo "POWERPC"
  mm/fremap.c: fix oops on error path
  idr: deprecate idr_pre_get() and idr_get_new[_above]()
  tidspbridge: convert to idr_alloc()
  zcache: convert to idr_alloc()
  mlx4: remove leftover idr_pre_get() call
  workqueue: convert to idr_alloc()
  nfsd: convert to idr_alloc()
  nfsd: remove unused get_new_stid()
  kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER
  signal: always clear sa_restorer on execve
  mm: remove_memory(): fix end_pfn setting
  include/linux/res_counter.h needs errno.h

11 years agoidr: idr_alloc() shouldn't trigger lowmem warning when preloaded
Tejun Heo [Wed, 13 Mar 2013 21:59:49 +0000 (14:59 -0700)]
idr: idr_alloc() shouldn't trigger lowmem warning when preloaded

GFP_NOIO is often used for idr_alloc() inside preloaded section as the
allocation mask doesn't really matter.  If the idr tree needs to be
expanded, idr_alloc() first tries to allocate using the specified
allocation mask and if it fails falls back to the preloaded buffer.  This
order prevent non-preloading idr_alloc() users from taking advantage of
preloading ones by using preload buffer without filling it shifting the
burden of allocation to the preload users.

Unfortunately, this allowed/expected-to-fail kmem_cache allocation ends up
generating spurious slab lowmem warning before succeeding the request from
the preload buffer.

This patch makes idr_layer_alloc() add __GFP_NOWARN to the first
kmem_cache attempt and try kmem_cache again w/o __GFP_NOWARN after
allocation from preload_buffer fails so that lowmem warning is generated
if not suppressed by the original @gfp_mask.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: David Teigland <teigland@redhat.com>
Tested-by: David Teigland <teigland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoUAPI: fix endianness conditionals in M32R's asm/stat.h
David Howells [Wed, 13 Mar 2013 21:59:48 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in M32R's asm/stat.h

In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).

However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.

The definition of struct stat64 in M32R's asm/stat.h is wrong in this way.
 Note that userspace will likely interpret the field order incorrectly as
the big-endian variant on little-endian machines - depending on header
inclusion order.

[!!!] NOTE [!!!]  This patch may adversely change the userspace API.  It might
be better to fix the ordering of st_blocks and __pad4 in struct stat64.

Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoUAPI: fix endianness conditionals in linux/raid/md_p.h
David Howells [Wed, 13 Mar 2013 21:59:47 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/raid/md_p.h

In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).

However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.

The definition of struct mdp_superblock_s in linux/raid/md_p.h is wrong in
this way.  Note that userspace will likely interpret the ordering of the
fields incorrectly as the big-endian variant on a little-endian machines -
depending on header inclusion order.

[!!!] NOTE [!!!]  This patch may adversely change the userspace API.  It might
be better to fix the ordering of events_hi, events_lo, cp_events_hi and
cp_events_lo in struct mdp_superblock_s / typedef mdp_super_t.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoUAPI: fix endianness conditionals in linux/acct.h
David Howells [Wed, 13 Mar 2013 21:59:46 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/acct.h

In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).

However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.

The definition of ACCT_BYTEORDER in linux/acct.h is wrong in this way.
Note that userspace will likely interpret this incorrectly as the
big-endian variant on little-endian machines - depending on header
inclusion order.

[!!!] NOTE [!!!]  This patch may adversely change the userspace API.  It might
be better to fix the value of ACCT_BYTEORDER.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoUAPI: fix endianness conditionals in linux/aio_abi.h
David Howells [Wed, 13 Mar 2013 21:59:45 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/aio_abi.h

In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).

However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.

The definition of PADDED() in linux/aio_abi.h is wrong in this way.  Note
that userspace will likely interpret this and thus the order of fields in
struct iocb incorrectly as the little-endian variant on big-endian
machines - depending on header inclusion order.

[!!!] NOTE [!!!]  This patch may adversely change the userspace API.  It might
be better to fix the ordering of aio_key and aio_reserved1 in struct iocb.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agodecompressors: fix typo "POWERPC"
Paul Bolle [Wed, 13 Mar 2013 21:59:44 +0000 (14:59 -0700)]
decompressors: fix typo "POWERPC"

Commit 5dc49c75a26b ("decompressors: make the default XZ_DEC_* config
match the selected architecture") added

default y if POWERPC

to lib/xz/Kconfig.  But there is no Kconfig symbol POWERPC.  The most
general Kconfig symbol for the powerpc architecture is PPC.  So let's
use that.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: Florian Fainelli <florian@openwrt.org>
Cc: Lasse Collin <lasse.collin@tukaani.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agomm/fremap.c: fix oops on error path
Andrew Morton [Wed, 13 Mar 2013 21:59:43 +0000 (14:59 -0700)]
mm/fremap.c: fix oops on error path

If find_vma() fails, sys_remap_file_pages() will dereference `vma', which
contains NULL.  Fix it by checking the pointer.

(We could alternatively check for err==0, but this seems more direct)

(The vm_flags change is to squish a bogus used-uninitialised warning
without adding extra code).

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoidr: deprecate idr_pre_get() and idr_get_new[_above]()
Tejun Heo [Wed, 13 Mar 2013 21:59:42 +0000 (14:59 -0700)]
idr: deprecate idr_pre_get() and idr_get_new[_above]()

Now that all in-kernel users are converted to ues the new alloc
interface, mark the old interface deprecated.  We should be able to
remove these in a few releases.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agotidspbridge: convert to idr_alloc()
Tejun Heo [Wed, 13 Mar 2013 21:59:41 +0000 (14:59 -0700)]
tidspbridge: convert to idr_alloc()

idr_get_new*() and friends are about to be deprecated.  Convert to the
new idr_alloc() interface.

There are some peculiarities and possible bugs in the converted
functions.  This patch preserves those.

* drv_insert_node_res_element() returns -ENOMEM on alloc failure,
  -EFAULT if id space is exhausted.  -EFAULT is at best misleading.

* drv_proc_insert_strm_res_element() is even weirder.  It returns
  -EFAULT if kzalloc() fails, -ENOMEM if idr preloading fails and
  -EPERM if id space is exhausted.  What's going on here?

* drv_proc_insert_strm_res_element() doesn't free *pstrm_res after
  failure.

Only compile tested.

Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Víctor Manuel Jáquez Leal <vjaquez@igalia.com>
Cc: Rene Sapiens <rene.sapiens@ti.com>
Cc: Armando Uribe <x0095078@ti.com>
Cc: Omar Ramirez Luna <omar.ramirez@ti.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agozcache: convert to idr_alloc()
Tejun Heo [Wed, 13 Mar 2013 21:59:40 +0000 (14:59 -0700)]
zcache: convert to idr_alloc()

idr_get_new*() and friends are about to be deprecated.  Convert to the
new idr_alloc() interface.

Only compile tested.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Dan Magenheimer <dan.magenheimer@oracle.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agomlx4: remove leftover idr_pre_get() call
Tejun Heo [Wed, 13 Mar 2013 21:59:39 +0000 (14:59 -0700)]
mlx4: remove leftover idr_pre_get() call

Commit 6a9200603d76 ("IB/mlx4: convert to idr_alloc()") forgot to remove
idr_pre_get() call in mlx4_ib_cm_paravirt_init().  It's unnecessary and
idr_pre_get() will soon be deprecated.  Remove it.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jack Morgenstein <jackm@dev.mellanox.co.il>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoworkqueue: convert to idr_alloc()
Tejun Heo [Wed, 13 Mar 2013 21:59:38 +0000 (14:59 -0700)]
workqueue: convert to idr_alloc()

idr_get_new*() and friends are about to be deprecated.  Convert to the
new idr_alloc() interface.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agonfsd: convert to idr_alloc()
Tejun Heo [Wed, 13 Mar 2013 21:59:37 +0000 (14:59 -0700)]
nfsd: convert to idr_alloc()

idr_get_new*() and friends are about to be deprecated.  Convert to the
new idr_alloc() interface.

Only compile-tested.

Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: J. Bruce Fields <bfields@redhat.com>
Tested-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agonfsd: remove unused get_new_stid()
Tejun Heo [Wed, 13 Mar 2013 21:59:36 +0000 (14:59 -0700)]
nfsd: remove unused get_new_stid()

get_new_stid() is no longer used since commit 3abdb607125 ("nfsd4:
simplify idr allocation").  Remove it.

Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agokernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER
Andrew Morton [Wed, 13 Mar 2013 21:59:34 +0000 (14:59 -0700)]
kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER

__ARCH_HAS_SA_RESTORER is the preferred conditional for use in 3.9 and
later kernels, per Kees.

Cc: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Julien Tinnes <jln@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agosignal: always clear sa_restorer on execve
Kees Cook [Wed, 13 Mar 2013 21:59:33 +0000 (14:59 -0700)]
signal: always clear sa_restorer on execve

When the new signal handlers are set up, the location of sa_restorer is
not cleared, leaking a parent process's address space location to
children.  This allows for a potential bypass of the parent's ASLR by
examining the sa_restorer value returned when calling sigaction().

Based on what should be considered "secret" about addresses, it only
matters across the exec not the fork (since the VMAs haven't changed
until the exec).  But since exec sets SIG_DFL and keeps sa_restorer,
this is where it should be fixed.

Given the few uses of sa_restorer, a "set" function was not written
since this would be the only use.  Instead, we use
__ARCH_HAS_SA_RESTORER, as already done in other places.

Example of the leak before applying this patch:

  $ cat /proc/$$/maps
  ...
  7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
  ...
  $ ./leak
  ...
  7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
  ...
  1 0 (nil) 0x7fb9f30b94a0
  2 4000000 (nil) 0x7f278bcaa4a0
  3 4000000 (nil) 0x7f278bcaa4a0
  4 0 (nil) 0x7fb9f30b94a0
  ...

[akpm@linux-foundation.org: use SA_RESTORER for backportability]
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Julien Tinnes <jln@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agomm: remove_memory(): fix end_pfn setting
Toshi Kani [Wed, 13 Mar 2013 21:59:31 +0000 (14:59 -0700)]
mm: remove_memory(): fix end_pfn setting

remove_memory() calls walk_memory_range() with [start_pfn, end_pfn), where
end_pfn is exclusive in this range.  Therefore, end_pfn needs to be set to
the next page of the end address.

Signed-off-by: Toshi Kani <toshi.kani@hp.com>
Cc: Wen Congyang <wency@cn.fujitsu.com>
Cc: Tang Chen <tangchen@cn.fujitsu.com>
Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Jiang Liu <jiang.liu@huawei.com>
Cc: Jianguo Wu <wujianguo@huawei.com>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Cc: Wu Jianguo <wujianguo@huawei.com>
Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoinclude/linux/res_counter.h needs errno.h
Andrew Morton [Wed, 13 Mar 2013 21:59:30 +0000 (14:59 -0700)]
include/linux/res_counter.h needs errno.h

alpha allmodconfig:

  In file included from mm/memcontrol.c:28:
  include/linux/res_counter.h: In function 'res_counter_set_limit':
  include/linux/res_counter.h:203: error: 'EBUSY' undeclared (first use in this function)
  include/linux/res_counter.h:203: error: (Each undeclared identifier is reported only once
  include/linux/res_counter.h:203: error: for each function it appears in.)

Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Glauber Costa <glommer@parallels.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Frederic Weisbecker <fweisbec@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoMerge tag 'usb-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Linus Torvalds [Wed, 13 Mar 2013 22:03:48 +0000 (15:03 -0700)]
Merge tag 'usb-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg Kroah-Hartman:
 "Here are a number of tiny USB fixes and new USB device ids for your
  3.9 tree.

  The "largest" one here is a revert of a usb-storage patch that turned
  out to be incorrect, breaking existing users, which is never a good
  thing.  Everything else is pretty simple and small"

* tag 'usb-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (43 commits)
  USB: quatech2: only write to the tty if the port is open.
  qcserial: bind to DM/DIAG port on Gobi 1K devices
  USB: cdc-wdm: fix buffer overflow
  usb: serial: Add Rigblaster Advantage to device table
  qcaux: add Franklin U600
  usb: musb: core: fix possible build error with randconfig
  usb: cp210x new Vendor/Device IDs
  usb: gadget: pxa25x: fix disconnect reporting
  usb: dwc3: ep0: fix sparc64 build
  usb: c67x00 RetryCnt value in c67x00 TD should be 3
  usb: Correction to c67x00 TD data length mask
  usb: Makefile: fix drivers/usb/phy/ Makefile entry
  USB: added support for Cinterion's products AH6 and PLS8
  usb: gadget: fix omap_udc build errors
  USB: storage: fix Huawei mode switching regression
  USB: storage: in-kernel modeswitching is deprecated
  tools: usb: ffs-test: Fix build failure
  USB: option: add Huawei E5331
  usb: musb: omap2430: fix sparse warning
  usb: musb: omap2430: fix omap_musb_mailbox glue check again
  ...

11 years agoMerge tag 'tty-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Linus Torvalds [Wed, 13 Mar 2013 22:02:02 +0000 (15:02 -0700)]
Merge tag 'tty-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial fixes from Greg Kroah-Hartman:
 "Here are some tty/serial driver fixes for 3.9

  We finally mute the annoying WARN_ON that lots of people are hitting
  and it turns out isn't needed anymore.  Also add a few new device ids
  and a some other minor fixes."

* tag 'tty-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  tty: serial: fix typo "SERIAL_S3C2412"
  serial: 8250: Keep 8250.<xxxx> module options functional after driver rename
  tty: serial: fix typo "ARCH_S5P6450"
  tty/8250_pnp: serial port detection regression since v3.7
  serial: bcm63xx_uart: fix compilation after "TTY: switch tty_insert_flip_char"
  serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller
  Fix 4 port and add support for 8 port 'Unknown' PCI serial port cards
  tty/serial: Add support for Altera serial port
  tty: serial: vt8500: Unneccessary duplicated clock code removed
  tty: serial: mpc5xxx: fix PSC clock name bug
  TTY: disable debugging warning

11 years agoMerge tag 'staging-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh...
Linus Torvalds [Wed, 13 Mar 2013 22:01:08 +0000 (15:01 -0700)]
Merge tag 'staging-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging tree fixes from Greg Kroah-Hartman:
 "Here are some drivers/staging and drivers/iio fixes for 3.9 (the two
  are still pretty intertwined, hence them coming both from my tree
  still.) Nothing major, just a few things that have been reported by
  users, all of these have been in linux-next for a while."

* tag 'staging-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: comedi: dt9812: use CR_CHAN() for channel number
  staging/vt6656: Fix too large integer constant warning on 32-bit
  staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack
  staging: imx/drm: request irq only after adding the crtc
  staging: comedi: drivers: usbduxfast.c: fix for DMA buffers on stack
  staging: comedi: drivers: usbdux.c: fix DMA buffers on stack
  staging: vt6656: Fix oops on resume from suspend.
  iio:common:st_sensors fixed all warning messages about uninitialized variables
  iio: Fix build error seen if IIO_TRIGGER is defined but IIO_BUFFER is not
  iio/imu: inv_mpu6050 depends on IIO_BUFFER
  iio:ad5064: Initialize register cache correctly
  iio:ad5064: Fix off by one in DAC value range check
  iio:ad5064: Fix address of the second channel for ad5065/ad5045/ad5025

11 years agouserns: Don't allow CLONE_NEWUSER | CLONE_FS
Eric W. Biederman [Wed, 13 Mar 2013 18:51:49 +0000 (11:51 -0700)]
userns: Don't allow CLONE_NEWUSER | CLONE_FS

Don't allowing sharing the root directory with processes in a
different user namespace.  There doesn't seem to be any point, and to
allow it would require the overhead of putting a user namespace
reference in fs_struct (for permission checks) and incrementing that
reference count on practically every call to fork.

So just perform the inexpensive test of forbidding sharing fs_struct
acrosss processes in different user namespaces.  We already disallow
other forms of threading when unsharing a user namespace so this
should be no real burden in practice.

This updates setns, clone, and unshare to disallow multiple user
namespaces sharing an fs_struct.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoUSB: quatech2: only write to the tty if the port is open.
Bill Pemberton [Wed, 13 Mar 2013 13:50:15 +0000 (09:50 -0400)]
USB: quatech2: only write to the tty if the port is open.

The commit 2e124b4a390ca85325fae75764bef92f0547fa25 removed the checks
that prevented qt2_process_read_urb() from trying to put chars into
ttys that weren't actually opened.  This resulted in 'tty is NULL'
warnings from flush_to_ldisc() when the device was used.

The devices use just one read urb for all ports.  As a result
qt2_process_read_urb() may be called with the current port set to a
port number that has not been opened.  Add a check if the port is open
before calling tty_flip_buffer_push().

Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoqcserial: bind to DM/DIAG port on Gobi 1K devices
Dan Williams [Wed, 13 Mar 2013 14:58:18 +0000 (09:58 -0500)]
qcserial: bind to DM/DIAG port on Gobi 1K devices

Turns out we just need altsetting 1 and then we can talk to it.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoext2: Fix BUG_ON in evict() on inode deletion
Jan Kara [Wed, 13 Mar 2013 11:57:08 +0000 (12:57 +0100)]
ext2: Fix BUG_ON in evict() on inode deletion

Commit 8e3dffc6 introduced a regression where deleting inode with
large extended attributes leads to triggering
  BUG_ON(inode->i_state != (I_FREEING | I_CLEAR))
in fs/inode.c:evict(). That happens because freeing of xattr block
dirtied the inode and it happened after clear_inode() has been called.

Fix the issue by moving removal of xattr block into ext2_evict_inode()
before clear_inode() call close to a place where data blocks are
truncated. That is also more logical place and removes surprising
requirement that ext2_free_blocks() mustn't dirty the inode.

Reported-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Jan Kara <jack@suse.cz>
11 years agofutex: fix kernel-doc notation and spello
Randy Dunlap [Tue, 5 Mar 2013 18:00:24 +0000 (10:00 -0800)]
futex: fix kernel-doc notation and spello

Fix kernel-doc warning in futex.c and convert 'Returns' to the new Return:
kernel-doc notation format.

  Warning(kernel/futex.c:2286): Excess function parameter 'clockrt' description in 'futex_wait_requeue_pi'

Fix one spello.

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agosignals: fix new kernel-doc warnings
Randy Dunlap [Mon, 4 Mar 2013 22:32:59 +0000 (14:32 -0800)]
signals: fix new kernel-doc warnings

Fix new kernel-doc warnings in kernel/signal.c:

  Warning(kernel/signal.c:2689): No description found for parameter 'uset'
  Warning(kernel/signal.c:2689): Excess function parameter 'set' description in 'sys_rt_sigpending'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoidr: fix new kernel-doc warnings
Randy Dunlap [Mon, 4 Mar 2013 22:32:54 +0000 (14:32 -0800)]
idr: fix new kernel-doc warnings

Fix new kernel-doc warnings in idr:

  Warning(include/linux/idr.h:113): No description found for parameter 'idr'
  Warning(include/linux/idr.h:113): Excess function parameter 'idp' description in 'idr_find'
  Warning(lib/idr.c:232): Excess function parameter 'id' description in 'sub_alloc'
  Warning(lib/idr.c:232): Excess function parameter 'id' description in 'sub_alloc'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoMerge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty...
Linus Torvalds [Wed, 13 Mar 2013 03:28:45 +0000 (20:28 -0700)]
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

Pull virtio rng buffix from Rusty Russell:
 "Simple virtio-rng fix."

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  virtio: rng: disallow multiple device registrations, fixes crashes

11 years agoMerge tag 'stable/for-linus-3.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Wed, 13 Mar 2013 03:25:53 +0000 (20:25 -0700)]
Merge tag 'stable/for-linus-3.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

Pull Xen fixes from Konrad Rzeszutek Wilk:
 - Compile warnings and errors (one on x86, two on ARM)
 - WARNING in xen-pciback
 - Use the acpi_processor_get_performance_info instead of the 'register'
   version

* tag 'stable/for-linus-3.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen/acpi: remove redundant acpi/acpi_drivers.h include
  xen: arm: mandate EABI and use generic atomic operations.
  acpi: Export the acpi_processor_get_performance_info
  xen/pciback: Don't disable a PCI device that is already disabled.

11 years agofs: Readd the fs module aliases.
Eric W. Biederman [Wed, 13 Mar 2013 01:27:41 +0000 (18:27 -0700)]
fs: Readd the fs module aliases.

I had assumed that the only use of module aliases for filesystems
prior to "fs: Limit sys_mount to only request filesystem modules."
was in request_module.  It turns out I was wrong.  At least mkinitcpio
in Arch linux uses these aliases.

So readd the preexising aliases, to keep from breaking userspace.

Userspace eventually will have to follow and use the same aliases the
kernel does.  So at some point we may be delete these aliases without
problems.  However that day is not today.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
11 years agoUSB: cdc-wdm: fix buffer overflow
Oliver Neukum [Tue, 12 Mar 2013 13:52:42 +0000 (14:52 +0100)]
USB: cdc-wdm: fix buffer overflow

The buffer for responses must not overflow.
If this would happen, set a flag, drop the data and return
an error after user space has read all remaining data.

Signed-off-by: Oliver Neukum <oliver@neukum.org>
CC: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoSelect VIRT_TO_BUS directly where needed
Stephen Rothwell [Thu, 7 Mar 2013 04:48:16 +0000 (15:48 +1100)]
Select VIRT_TO_BUS directly where needed

In commit 887cbce0adea ("arch Kconfig: centralise ARCH_NO_VIRT_TO_BUS")
I introduced the config sybmol HAVE_VIRT_TO_BUS and selected that where
needed.  I am not sure what I was thinking.  Instead, just directly
select VIRT_TO_BUS where it is needed.

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoFix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
Mathieu Desnoyers [Mon, 25 Feb 2013 15:20:36 +0000 (10:20 -0500)]
Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys

Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
compat_process_vm_rw() shows that the compatibility code requires an
explicit "access_ok()" check before calling
compat_rw_copy_check_uvector(). The same difference seems to appear when
we compare fs/read_write.c:do_readv_writev() to
fs/compat.c:compat_do_readv_writev().

This subtle difference between the compat and non-compat requirements
should probably be debated, as it seems to be error-prone. In fact,
there are two others sites that use this function in the Linux kernel,
and they both seem to get it wrong:

Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
also ends up calling compat_rw_copy_check_uvector() through
aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
be missing. Same situation for
security/keys/compat.c:compat_keyctl_instantiate_key_iov().

I propose that we add the access_ok() check directly into
compat_rw_copy_check_uvector(), so callers don't have to worry about it,
and it therefore makes the compat call code similar to its non-compat
counterpart. Place the access_ok() check in the same location where
copy_from_user() can trigger a -EFAULT error in the non-compat code, so
the ABI behaviors are alike on both compat and non-compat.

While we are here, fix compat_do_readv_writev() so it checks for
compat_rw_copy_check_uvector() negative return values.

And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
handling.

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Tue, 12 Mar 2013 17:37:14 +0000 (10:37 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm nouveau fixes from Dave Airlie:
 "This is just nouveau fixes from Ben, one fixes a nasty oops that some
  Fedora people have been seeing, so I'd like to get it out of the way."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/nv50: use correct tiling methods for m2mf buffer moves
  drm/nouveau: idle channel before releasing notify object
  drm/nouveau: fix regression in vblanking
  drm/nv50: encoder creation failure doesn't mean full init failure

11 years agoMerge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Linus Torvalds [Tue, 12 Mar 2013 17:21:38 +0000 (10:21 -0700)]
Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Arnd Bergmann:
 "These bug fixes are for the largest part for mvebu/kirkwood, which saw
  a few regressions after the clock infrastructure was enabled, and for
  OMAP, which showed a few more preexisting bugs with the new
  multiplatform support.

  Other small fixes are for imx, mxs, tegra, spear and socfpga"

* tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits)
  ARM: spear3xx: Use correct pl080 header file
  Arm: socfpga: pl330: Add #dma-cells for generic dma binding support
  ARM: multiplatform: Sort the max gpio numbers.
  ARM: imx: fix typo "DEBUG_IMX50_IMX53_UART"
  ARM: imx: pll1_sys should be an initial on clk
  arm: mach-orion5x: fix typo in compatible string of a .dts file
  arm: mvebu: fix address-cells in mpic DT node
  arm: plat-orion: fix address decoding when > 4GB is used
  arm: mvebu: Reduce reg-io-width with UARTs
  ARM: Dove: add RTC device node
  arm: mvebu: enable the USB ports on Armada 370 Reference Design board
  ARM: dove: drop "select COMMON_CLK_DOVE"
  rtc: rtc-mv: Add support for clk to avoid lockups
  gpio: mvebu: Add clk support to prevent lockup
  ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
  ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency
  ARM: mxs: cfa10049: Fix fb initialisation function
  ARM: SPEAr13xx: Fix typo "ARCH_HAVE_CPUFREQ"
  ARM: OMAP: RX-51: add missing USB phy binding
  clk: Tegra: Remove duplicate smp_twd clock
  ...

11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Linus Torvalds [Tue, 12 Mar 2013 17:20:15 +0000 (10:20 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu

Pull m68knommu fixes from Greg Ungerer:
 "It contains a few small fixes for the non-MMU m68k platforms.  Fixes
  some compilation problems, some broken header definitions, removes an
  unused config option and adds a name for the old 68000 CPU support."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k: drop "select EMAC_INC"
  m68knommu: fix misnamed GPIO pin definition for ColdFire 528x CPU
  m68knommu: fix MC68328.h defines
  m68knommu: fix build when CPU is not coldfire
  m68knommu: add CPU_NAME for 68000

11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Tue, 12 Mar 2013 16:36:19 +0000 (09:36 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull key management race fix from James Morris.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  keys: fix race with concurrent install_user_keyrings()

11 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph...
Linus Torvalds [Tue, 12 Mar 2013 16:22:42 +0000 (09:22 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client

Pull Ceph fix from Sage Weil:
 "This fixes a bug in the new message decoding that just went in during
  the last window."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  libceph: fix decoding of pgids

11 years agoMerge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux
Linus Torvalds [Tue, 12 Mar 2013 16:20:58 +0000 (09:20 -0700)]
Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux

Pull nfsd bugfixes from Bruce Fields:
 "Some minor fallout from the user-namespace work broke most krb5 mounts
  to nfsd, and I screwed up a change to the AF_LOCAL rpc code."

* 'for-3.9' of git://linux-nfs.org/~bfields/linux:
  sunrpc: don't attempt to cancel unitialized work
  nfsd: fix krb5 handling of anonymous principals

11 years agousb: serial: Add Rigblaster Advantage to device table
Steve Conklin [Thu, 7 Mar 2013 23:19:33 +0000 (17:19 -0600)]
usb: serial: Add Rigblaster Advantage to device table

The Rigblaster Advantage is an amateur radio interface sold by West Mountain
Radio. It contains a cp210x serial interface but the device ID is not in
the driver.

Signed-off-by: Steve Conklin <sconklin@canonical.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty: serial: fix typo "SERIAL_S3C2412"
Paul Bolle [Tue, 12 Mar 2013 09:10:32 +0000 (10:10 +0100)]
tty: serial: fix typo "SERIAL_S3C2412"

The Kconfig symbol SERIAL_S3C2412 got removed in commit
da121506eb03ee5daea55404709110b798bd61d9 ("serial: samsung: merge
probe() function from all SoC specific extensions"). But it also added a
last reference to that symbol. The commit and the tree make clear that
CPU_S3C2412 should have been used instead.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoserial: 8250: Keep 8250.<xxxx> module options functional after driver rename
Josh Boyer [Sun, 10 Mar 2013 14:33:40 +0000 (10:33 -0400)]
serial: 8250: Keep 8250.<xxxx> module options functional after driver rename

With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the
8250 driver was renamed to 8250_core.  This means any existing usage of
the 8259.<xxxx> module parameters or as a kernel command line switch is
now broken, as the 8250_core driver doesn't parse options belonging to
something called "8250".

To solve this, we redefine the module options in a dummy function using
a redefined MODULE_PARAM_PREFX when built into the kernel.  In the case
where we're building as a module, we provide an alias to the old 8250
name.  The dummy function prevents compiler errors due to global variable
redefinitions that happen as part of the module_param_ macro expansions.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Acked-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty: serial: fix typo "ARCH_S5P6450"
Paul Bolle [Sat, 9 Mar 2013 22:16:44 +0000 (23:16 +0100)]
tty: serial: fix typo "ARCH_S5P6450"

This could have been either ARCH_S5P64X0 or CPU_S5P6450. Looking at
commit 2555e663b367b8d555e76023f4de3f6338c28d6c ("ARM: S5P64X0: Add UART
serial support for S5P6450") - which added this typo - makes clear this
should be CPU_S5P6450.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Acked-by: Kukjin Kim <kgene.kim@samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty/8250_pnp: serial port detection regression since v3.7
Sean Young [Fri, 22 Feb 2013 16:27:19 +0000 (16:27 +0000)]
tty/8250_pnp: serial port detection regression since v3.7

The InsydeH2O BIOS (version dated 09/12/2011) has the following in
its pnp resouces for its serial ports:

$ cat /sys/bus/pnp/devices/00:0b/resources
state = active
io disabled
irq disabled

We do not check if the resources are disabled, and create a bogus
ttyS* device. Since commit 835d844d1a28e (8250_pnp: do pnp probe
before legacy probe) we get a bogus ttyS0, which prevents the legacy
probe from detecting it.

Note, the BIOS can also be upgraded, fixing this problem, but for people
who can't do that, this fix is needed.

Reported-by: Vincent Deffontaines <vincent@gryzor.com>
Tested-by: Vincent Deffontaines <vincent@gryzor.com>
Signed-off-by: Sean Young <sean@mess.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoserial: bcm63xx_uart: fix compilation after "TTY: switch tty_insert_flip_char"
Jonas Gorski [Sun, 24 Feb 2013 13:08:39 +0000 (14:08 +0100)]
serial: bcm63xx_uart: fix compilation after "TTY: switch tty_insert_flip_char"

92a19f9cec9a80ad93c06e115822deb729e2c6ad introduced a local variable
with the same name as the argument to bcm_uart_do_rx, breaking
compilation. Fix this by renaming the new variable and its uses where
expected.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Acked-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoserial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi...
Wang YanQing [Fri, 1 Mar 2013 03:47:20 +0000 (11:47 +0800)]
serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller

01:08.0 Communication controller: NetMos Technology PCI 9835 Multi-I/O Controller (rev 01)
Subsystem: Device [1000:0012]
Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Interrupt: pin A routed to IRQ 20
Region 0: I/O ports at e050 [size=8]
Region 1: I/O ports at e040 [size=8]
Region 2: I/O ports at e030 [size=8]
Region 3: I/O ports at e020 [size=8]
Region 4: I/O ports at e010 [size=8]
Region 5: I/O ports at e000 [size=16]

Signed-off-by: Wang YanQing <udknight@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agoFix 4 port and add support for 8 port 'Unknown' PCI serial port cards
Scott Ashcroft [Sun, 3 Mar 2013 21:35:06 +0000 (21:35 +0000)]
Fix 4 port and add support for 8 port 'Unknown' PCI serial port cards

I've managed to find an 8 port version of the card 4 port card which was discussed here:

http://marc.info/?l=linux-serial&m=120760744205314&w=2

Looking back at that thread there were two issues in the original patch.

1) The I/O ports for the UARTs are within BAR2 not BAR0. This can been seen in the original post.
2) A serial quirk isn't needed as these cards have no memory in BAR0 which makes pci_plx9050_init just return.

This patch fixes the 4 port support to use BAR2, removes the bogus quirk and adds support for the 8 port card.

$ lspci -vvv -n -s 00:08.0
00:08.0 0780: 10b5:9050 (rev 01)
Subsystem: 10b5:1588
Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Interrupt: pin A routed to IRQ 17
Region 1: I/O ports at ff00 [size=128]
Region 2: I/O ports at fe00 [size=64]
Region 3: I/O ports at fd00 [size=8]
Capabilities: <access denied>
Kernel driver in use: serial

$ dmesg | grep 0000:00:08.0:
[    0.083320] pci 0000:00:08.0: [10b5:9050] type 0 class 0x000780
[    0.083355] pci 0000:00:08.0: reg 14: [io  0xff00-0xff7f]
[    0.083369] pci 0000:00:08.0: reg 18: [io  0xfe00-0xfe3f]
[    0.083382] pci 0000:00:08.0: reg 1c: [io  0xfd00-0xfd07]
[    0.083460] pci 0000:00:08.0: PME# supported from D0 D3hot
[    1.212867] 0000:00:08.0: ttyS4 at I/O 0xfe00 (irq = 17) is a 16550A
[    1.233073] 0000:00:08.0: ttyS5 at I/O 0xfe08 (irq = 17) is a 16550A
[    1.253270] 0000:00:08.0: ttyS6 at I/O 0xfe10 (irq = 17) is a 16550A
[    1.273468] 0000:00:08.0: ttyS7 at I/O 0xfe18 (irq = 17) is a 16550A
[    1.293666] 0000:00:08.0: ttyS8 at I/O 0xfe20 (irq = 17) is a 16550A
[    1.313863] 0000:00:08.0: ttyS9 at I/O 0xfe28 (irq = 17) is a 16550A
[    1.334061] 0000:00:08.0: ttyS10 at I/O 0xfe30 (irq = 17) is a 16550A
[    1.354258] 0000:00:08.0: ttyS11 at I/O 0xfe38 (irq = 17) is a 16550A

Signed-off-by: Scott Ashcroft <scott.ashcroft@talk21.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty/serial: Add support for Altera serial port
Ley Foon Tan [Thu, 7 Mar 2013 02:28:37 +0000 (10:28 +0800)]
tty/serial: Add support for Altera serial port

Add support for Altera 8250/16550 compatible serial port.

Signed-off-by: Ley Foon Tan <lftan@altera.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty: serial: vt8500: Unneccessary duplicated clock code removed
Tony Prisk [Sat, 9 Mar 2013 05:44:37 +0000 (18:44 +1300)]
tty: serial: vt8500: Unneccessary duplicated clock code removed

Remove the extra code left over when the serial driver was changed
to require a clock. There is no fallback to 24Mhz as a clock is
now required.

Also remove a second call to of_clk_get which is unnecessary.

Signed-off-by: Tony Prisk <linux@prisktech.co.nz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agotty: serial: mpc5xxx: fix PSC clock name bug
Anatolij Gustschin [Sat, 9 Mar 2013 11:43:54 +0000 (12:43 +0100)]
tty: serial: mpc5xxx: fix PSC clock name bug

mpc512x platform clock code names PSC clocks as "pscX_mclk" but
the driver tries to get "pscX_clk" clock and this results in
errors like:

  mpc52xx-psc-uart 80011700.psc: Failed to get PSC clock entry!

The problem appears when opening ttyPSC devices other than the
system's serial console. Since getting and enabling the PSC clock
fails, uart port startup doesn't succeed and tty flag TTY_IO_ERROR
remains set causing further errors in tty ioctls, i.e.
'strace stty -F /dev/ttyPSC1' shows:

open("/dev/ttyPSC1", O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 3
dup2(3, 0)                              = 0
close(3)                                = 0
fcntl64(0, F_GETFL)                     = 0x10800 (flags O_RDONLY|O_NONBLOCK|O_LARGEFILE)
fcntl64(0, F_SETFL, O_RDONLY|O_LARGEFILE) = 0
ioctl(0, TCGETS, 0xbff89038)            = -1 EIO (Input/output error)

Only request PSC clock names that the platform actually provides.

Signed-off-by: Anatolij Gustschin <agust@denx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years agovfs: fix pipe counter breakage
Al Viro [Tue, 12 Mar 2013 02:59:49 +0000 (02:59 +0000)]
vfs: fix pipe counter breakage

If you open a pipe for neither read nor write, the pipe code will not
add any usage counters to the pipe, causing the 'struct pipe_inode_info"
to be potentially released early.

That doesn't normally matter, since you cannot actually use the pipe,
but the pipe release code - particularly fasync handling - still expects
the actual pipe infrastructure to all be there.  And rather than adding
NULL pointer checks, let's just disallow this case, the same way we
already do for the named pipe ("fifo") case.

This is ancient going back to pre-2.4 days, and until trinity, nobody
naver noticed.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years agoARM: spear3xx: Use correct pl080 header file
Arnd Bergmann [Fri, 1 Mar 2013 23:10:30 +0000 (00:10 +0100)]
ARM: spear3xx: Use correct pl080 header file

The definitions have move around recently, causing build errors
in spear3xx for all configurations:

spear3xx.c:47:5: error: 'PL080_BSIZE_16' undeclared here (not in a function)
spear3xx.c:47:23: error: 'PL080_CONTROL_SB_SIZE_SHIFT' undeclared here (not in a function)
spear3xx.c:48:22: error: 'PL080_CONTROL_DB_SIZE_SHIFT' undeclared here (not in a function)

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Alessandro Rubini <rubini@gnudd.com>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
11 years agokeys: fix race with concurrent install_user_keyrings()
David Howells [Tue, 12 Mar 2013 05:44:31 +0000 (16:44 +1100)]
keys: fix race with concurrent install_user_keyrings()

This fixes CVE-2013-1792.

There is a race in install_user_keyrings() that can cause a NULL pointer
dereference when called concurrently for the same user if the uid and
uid-session keyrings are not yet created.  It might be possible for an
unprivileged user to trigger this by calling keyctl() from userspace in
parallel immediately after logging in.

Assume that we have two threads both executing lookup_user_key(), both
looking for KEY_SPEC_USER_SESSION_KEYRING.

THREAD A THREAD B
=============================== ===============================
==>call install_user_keyrings();
if (!cred->user->session_keyring)
==>call install_user_keyrings()
...
user->uid_keyring = uid_keyring;
if (user->uid_keyring)
return 0;
<==
key = cred->user->session_keyring [== NULL]
user->session_keyring = session_keyring;
atomic_inc(&key->usage); [oops]

At the point thread A dereferences cred->user->session_keyring, thread B
hasn't updated user->session_keyring yet, but thread A assumes it is
populated because install_user_keyrings() returned ok.

The race window is really small but can be exploited if, for example,
thread B is interrupted or preempted after initializing uid_keyring, but
before doing setting session_keyring.

This couldn't be reproduced on a stock kernel.  However, after placing
systemtap probe on 'user->session_keyring = session_keyring;' that
introduced some delay, the kernel could be crashed reliably.

Fix this by checking both pointers before deciding whether to return.
Alternatively, the test could be done away with entirely as it is checked
inside the mutex - but since the mutex is global, that may not be the best
way.

Signed-off-by: David Howells <dhowells@redhat.com>
Reported-by: Mateusz Guzik <mguzik@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
11 years agolibceph: fix decoding of pgids
Sage Weil [Wed, 6 Mar 2013 22:57:03 +0000 (14:57 -0800)]
libceph: fix decoding of pgids

In 4f6a7e5ee1393ec4b243b39dac9f36992d161540 we effectively dropped support
for the legacy encoding for the OSDMap and incremental.  However, we didn't
fix the decoding for the pgid.

Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Yehuda Sadeh <yehuda@inktank.com>
11 years agoreiserfs: Use kstrdup instead of kmalloc/strcpy
Ionut-Gabriel Radu [Sun, 10 Mar 2013 13:06:23 +0000 (15:06 +0200)]
reiserfs: Use kstrdup instead of kmalloc/strcpy

Signed-off-by: Ionut-Gabriel Radu <ihonius@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
11 years agoext3: Fix format string issues
Lars-Peter Clausen [Sat, 9 Mar 2013 14:28:44 +0000 (15:28 +0100)]
ext3: Fix format string issues

ext3_msg() takes the printk prefix as the second parameter and the
format string as the third parameter. Two callers of ext3_msg omit the
prefix and pass the format string as the second parameter and the first
parameter to the format string as the third parameter. In both cases
this string comes from an arbitrary source. Which means the string may
contain format string characters, which will
lead to undefined and potentially harmful behavior.

The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
in ext3") and is fixed by this patch.

CC: stable@vger.kernel.org
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jan Kara <jack@suse.cz>
11 years agoquota: add missing use of dq_data_lock in __dquot_initialize
Jeff Mahoney [Wed, 27 Feb 2013 19:43:09 +0000 (14:43 -0500)]
quota: add missing use of dq_data_lock in __dquot_initialize

The bulk of __dquot_initialize runs under the dqptr_sem which
protects the inode->i_dquot pointers. It doesn't protect the
dereferenced contents, though. Those are protected by the
dq_data_lock, which is missing around the dquot_resv_space call.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
11 years agoArm: socfpga: pl330: Add #dma-cells for generic dma binding support
Padmavathi Venna [Mon, 4 Mar 2013 05:34:28 +0000 (11:04 +0530)]
Arm: socfpga: pl330: Add #dma-cells for generic dma binding support

This patch adds #dma-cells property to PL330 DMA controller nodes for
supporting generic dma dt bindings on SOCFPGA platform. #dma-channels
and #dma-requests are not required now but added in advance.

Signed-off-by: Padmavathi Venna <padma.v@samsung.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
11 years agoMerge tag 'mvebu_fixes_for_v3.9' of git://git.infradead.org/users/jcooper/linux into...
Arnd Bergmann [Mon, 11 Mar 2013 20:55:40 +0000 (21:55 +0100)]
Merge tag 'mvebu_fixes_for_v3.9' of git://git.infradead.org/users/jcooper/linux into fixes

mvebu fixes for v3.9 from Jason Cooper <jason@lakedaemon.net>:

The first four patches:

  89c58c1 rtc: rtc-mv: Add support for clk to avoid lockups
  de88747 gpio: mvebu: Add clk support to prevent lockup
  7bf5b40 ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
  93fff4c ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency

are Cc'd to stable since they were held over from the previous merge window.

The rest are a small collection of fixes and a couple of devicetree conversion
catchups.

* tag 'mvebu_fixes_for_v3.9' of git://git.infradead.org/users/jcooper/linux:
  arm: mach-orion5x: fix typo in compatible string of a .dts file
  arm: mvebu: fix address-cells in mpic DT node
  arm: plat-orion: fix address decoding when > 4GB is used
  arm: mvebu: Reduce reg-io-width with UARTs
  ARM: Dove: add RTC device node
  arm: mvebu: enable the USB ports on Armada 370 Reference Design board
  ARM: dove: drop "select COMMON_CLK_DOVE"
  rtc: rtc-mv: Add support for clk to avoid lockups
  gpio: mvebu: Add clk support to prevent lockup
  ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
  ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency

Signed-off-by: Arnd Bergmann <arnd@arndb.de>